Cisco 9130AXE not profiled by ISE

Garry Cooper
Level 1

Working on Dot1x at the moment and having an issue with ISE 3.1 not profiling a Cisco 9130AXE.

I have run the update from the feeds; this downloaded the profile for the 9130AX, which I then added to the correct group, but it is not authorized.

Followed the same for a couple of 9120s and they are working fine.

Am I missing something?

TIA

Accepted Solution

Garry Cooper
Level 1

Just an update to my issue.

We had to reboot the ISE server and this has fixed the profiling issue.

Thanks for all the help.

11 Replies

balaji.bandi
Hall of Fame

How is the port configuration of the switch that is connected to the 9130AX? What are the logs in ISE Live?

Is the 9120 connected to the same switch?

What switch mode? And IOS XE code?

BB


@Garry Cooper I assume you are referring to plugging in the 9130AXE AP into a wired dot1x enabled port and you want the AP authorised in ISE?

Have you updated the ISE profiler feed recently?

Is the switch configured with device sensor for CDP, LLDP and DHCP to send those attributes to ISE to aid profiling?

Garry Cooper
Level 1

Yes, it is getting connected to the same switch port as the 9120.

I have run the update from the feed.

See attached the template I created for testing. I am using the closed option.

@Garry Cooper so what attributes are learnt from device sensor and sent to ISE?

From the switch, run "show device-sensor cache interface gigabitEthernet x/x/x" to see what the switch has learnt. Check the endpoint in ISE and see what attributes ISE has learnt and what the certainty factor is.

What has ISE profiled the AP as, "Cisco-Device" or?

Normally you'd start off in open mode, rather than closed mode.

How do those APs get profiled on ISE? Are they getting profiled as Cisco APs or as unknown devices? Also, would you mind sharing the attributes page of one of those APs to look at what variables you would use to create your own customer profile?

Garry Cooper
Level 1

The AP is seen as a Cisco switch on ISE.

The certainty factor is set to 30, same as the 9120.

NCC_6th_FLR_West#sh device-sensor cache interface tw3/0/23
Device: 00df.1d74.029c on port TwoGigabitEthernet3/0/23
----------------------------------------------------------------------------
Proto Type:Name Len Value Text
CDP 6:platform-type 20 00 06 00 14 63 69 73 63 6F ....cisco
20 43 39 31 33 30 41 58 45 C9130AXE
2D 45 -E
CDP 4:capabilities-type 8 00 04 00 08 00 00 00 03 ........
CDP 1:device-name 20 00 01 00 14 41 50 30 30 44 ....AP00D
46 2E 31 44 37 34 2E 30 32 F.1D74.02
39 43 9C

Rodrigo Diaz
Cisco Employee

Hey @Garry Cooper, as per the condition that the profiler on ISE needs to hit for the AP series you mention, the minimum certainty factor to classify an endpoint is 30, and the 2 conditions that come as default Cisco-provided rules give that certainty factor, as the attached image shows.

The conditions that are required are related to: 1) DHCP:dhcp-class-identifier or 2) CDP:cdpCachePlatform.

Using the other comments here, check if any of those attributes is being sent within the probes sent by the NAD from where the AP gets its connection. You can also enable the profiler at debug level in the PSN from where you are getting the authentication, to verify if any of the rules stated above for the profiler is being hit.

Let me know if that helped.
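
Added example, not part of the thread and not Cisco code: a parser for the `show device-sensor cache` output posted above that reassembles each CDP TLV and extracts the platform string, so it can be compared with what the CDP:cdpCachePlatform condition expects. The `expected` argument is an assumption supplied by the caller; the actual condition value has to be read from the ISE profiler policy.

```python
import re

# Output as posted in the thread (CLI prompt and dashed rule omitted).
SAMPLE = """\
Device: 00df.1d74.029c on port TwoGigabitEthernet3/0/23
Proto Type:Name Len Value Text
CDP 6:platform-type 20 00 06 00 14 63 69 73 63 6F ....cisco
20 43 39 31 33 30 41 58 45 C9130AXE
2D 45 -E
CDP 4:capabilities-type 8 00 04 00 08 00 00 00 03 ........
CDP 1:device-name 20 00 01 00 14 41 50 30 30 44 ....AP00D
46 2E 31 44 37 34 2E 30 32 F.1D74.02
39 43 9C
"""

TLV_START = re.compile(r"^(CDP|LLDP|DHCP)\s+(\d+):(\S+)\s+(\d+)\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def _leading_hex(text):
    """Leading run of two-digit hex tokens; the ASCII column follows it."""
    out = []
    for tok in text.split():
        if not HEX_BYTE.match(tok):
            break
        out.append(int(tok, 16))
    return out

def parse_sensor_cache(output):
    """Return {(proto, name): value_bytes} for each TLV in the cache dump."""
    tlvs, cur = {}, None          # cur = [key, declared_len, byte_list]
    for line in output.splitlines():
        m = TLV_START.match(line.strip())
        if m:
            cur = [(m.group(1), m.group(3)), int(m.group(4)), _leading_hex(m.group(5))]
        elif cur and len(cur[2]) < cur[1]:
            cur[2] += _leading_hex(line)
        else:
            continue
        key, declared, raw = cur
        # Len bounds the TLV: an ASCII column such as "9C" looks like hex, so cut it off.
        raw = raw[:declared]
        if len(raw) == declared and declared >= 4:
            tlvs[key] = bytes(raw[4:])   # skip 2-byte type + 2-byte length header
    return tlvs

def platform_matches(output, expected):
    """True if the CDP platform string contains `expected` (caller-supplied assumption)."""
    value = parse_sensor_cache(output).get(("CDP", "platform-type"), b"")
    return expected.lower() in value.decode("ascii", "replace").lower()
```

On the posted output this yields the platform string `cisco C9130AXE-E`, which is the value to compare with the attribute shown on the endpoint's page in ISE.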

Garry Cooper
Level 1

I enabled the profiler logging but there doesn't seem to be much that shows the issue.

The MAC of the AP is 00:DF:1D:74:02:9C

I attached the logs but don't know if it's helpful.

@Garry Cooper, from the file you sent there are only INFO logs. You need to ensure that the profiler component is first set to DEBUG in the PSN that owns the session, and then capture the logs in real time from profiler.log (image attached as reference); from there you need to look for the endpoint you are testing with.

Please rate my comment if this is helping you.

Garry Cooper
Level 1

@rodrigo.

Thanks for the reply and sorry for my late reply.

I set up the profiler as debug and have attached the debug zip file.

Thanks
